Saturday, May 31, 2014

The development team for the popular encryption application TrueCrypt gave users a scare, and quite a bit of fodder for conspiracy theorists the other day when out of the blue they announced that "TrueCrypt is not secure" and abruptly halted all development. A new, decrypt-only version of the product was then released so that users could migrate away from it. The Internet promptly erupted with all manner of hypotheses and far-fetched theories to try to explain the sudden shutdown of one of the few privacy tools actually trusted by the community.

Even more bizzare, and possibly more telling, was the suggestion by the developers for current users of the software to migrate to Windows BitLocker, even though it's widely considered insecure, and even though most users of TrueCrypt are probably running Linux.

What We Know

Here are the facts as I understand them:

1. TrueCrypt issues a statement out of the blue:

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

2. The statement was digitally signed with their valid private key.

3. Their key changed shortly after the statement.

4. A new, decrypt-only version of TrueCrypt was released.

5. The developers have not commented on the statement and have been silent thus far.

Theories Abound

Was this a hidden message--a so-called "canary" signal that they were under scrutiny or a gag order from a certain TLA (three letter agency)? Most die-hard nerds found the suggestion to be ludicrous. There have been rumors about Microsoft having a back door in their encryption ever since they released it; long before Snowden put the hurt on the NSA. No nerd in his right mind would recommend a closed source, single platform privacy tool over a highly regarded open source, multi-platform solution.

Or is this an indication that the development of TrueCrypt has already succumbed to some secret government demand and handed over the keys to the kingdom, allowing this TLA to undermine and shutdown what's probably been a thorn in their side. Tools like this run contrary to the surveillance state.

Maybe it was a hybrid of the two theories above: faced with a secret order to undermine or subvert their work, did they kill it rather than hand over control?

Or is it a legitimate statement, and the development team feels that their work is either insecure or has already been compromised, and they truly feel that all existing users should flock to a Windows solution and not an alternative, open source product?

Whatever the answer is, this whole thing is fishy, and the developers aren't talking, which is yet another red flag. Since TrueCrypt was probably the most trusted privacy app along with PGP, and BitLocker is probably the least trusted, my conspiracy theory is that some TLA probably found a way to shutdown one of the best and most effective privacy tools ever invented, and the development team either sent a signal with their bizarre statement, or the tone-deaf, bureaucratic entity that shut it down ineptly issued the statement itself. The developers could make all these theories go away pretty quickly if they wanted to, but they have been silent on the matter. It should be noted that their statement was signed with their valid private encryption key, and that the key suddenly changed shortly after the statement was issued.

The Way Forward

Is TrueCrypt a perfect tool which has given us perfect privacy from day one? Very doubtful. Yet another twist in the story is that TrueCrypt was right in the middle of a security audit when it shutdown. Luckily, that audit still continues. And I believe the product has already been "forked", meaning that someone has taken a snapshot of the open source code and created their own development path on it.

So regardless of what the actual facts are, TrueCrypt has always been open source, which means development (and scrutiny) of it will never go away as long as someone cares enough to maintain it, and it looks like plenty of people are stepping up.

Should we immediately discontinue use of older versions? That would be a bit premature I think. Certainly I wouldn't trust any future versions of the product. My plan is to keep using it until the forked replacement comes along, which will have even more scrutiny on the code and hopefully a completed, open security audit

It is possible to subvert open source. A trusted, skilled and determined coder could slip in what looks like a valid bug fix which is really a bug in disguise, and subsequent code reviews might even miss it. And that's not even counting the fact that encryption uses a lot of mathematical voodoo that even most software developers don't completely understand.

But like it or not, open source encryption, perfect or not, is the best privacy we are probably ever going to get.